Method and apparatus for establishing a dynamic multipoint encrypted virtual private network
First Claim
1. A method for dynamically establishing a secure virtual private network, the method comprising the computer-implemented steps of:
- associating a network security policy with a virtual private network interface at a first network device, wherein the first network device comprises a spoke router;
- sending an address resolution request to an address resolution server, wherein the address resolution request is sent by the first network device and requests an address resolution for a second network device, wherein the address resolution request specifies a virtual private network endpoint address of the second network device, and wherein the second network device comprises a second spoke router;
- in response to sending said address resolution request, receiving input that indicates an association of said virtual private network endpoint address to a corresponding routable network address of said second network device, wherein said routable network address of the second network device is a dynamically assigned network address;
- wherein the routers comprise routers in a communication network;
- in response to the receiving said input that indicates said association, issuing, to a security protocol module at the first network device, a message that includes the routable network address of the second network device and the network security policy associated with the virtual private network interface at the first network device;
- receiving said message at said security protocol module at said first network device;
- in response to receiving said message at said security protocol module, generating encryption state information for encrypting and transmitting network traffic from the first network device to the second network device, based on the message;
- wherein the encryption state information includes one or more of: routable network address information, encapsulation protocol information, or security policy information.
Abstract
A process is disclosed in which a security policy is associated with a virtual private network (VPN) interface at a first device, for example, a router. Input is received specifying an association of a VPN endpoint address to a corresponding routable network address of a second device. A message is issued to a security module at the first device, the message including the routable network address of the second device and the security policy. Encryption state information is generated for network traffic from the first device to the second device, based on the message. The process is applicable to a hub-and-spoke network architecture that utilizes a point-to-multipoint GRE tunnel and the IPsec protocol for security. The process is dynamic in that the encryption state is generated for traffic over a VPN link, in response to notification of a virtual address-to-real address mapping, i.e., the association. In an embodiment, the association is an NHRP mapping.
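The spoke-side control flow the abstract describes (a policy bound to the VPN interface, resolution of a peer's tunnel address to its current routable address, then a message to the security module that yields per-peer encryption state) is modelled below as an added Python example; it is not code from the patent, the class names and addresses are constructed for illustration, and no real NHRP or IPsec implementation is involved.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityPolicy:
    name: str           # e.g. the IPsec profile bound to the spoke's tunnel interface
    encapsulation: str  # "gre" for the point-to-multipoint GRE tunnel

@dataclass(frozen=True)
class EncryptionState:
    peer_routable_addr: str  # dynamically assigned public address of the remote spoke
    encapsulation: str
    policy: str

class AddressResolutionServer:
    """Hub-side NHRP-style server: VPN endpoint (tunnel) address -> routable address."""
    def __init__(self):
        self.mappings = {}

    def register(self, tunnel_addr, routable_addr):
        self.mappings[tunnel_addr] = routable_addr  # spokes (re)register their current address

    def resolve(self, tunnel_addr):
        return self.mappings.get(tunnel_addr)  # None when nothing is registered for that endpoint

class SecurityProtocolModule:
    """IPsec-side module: a (routable address, policy) message yields encryption state."""
    def __init__(self):
        self.state = {}

    def handle_message(self, routable_addr, policy):
        sa = EncryptionState(routable_addr, policy.encapsulation, policy.name)
        self.state[routable_addr] = sa
        return sa

class SpokeRouter:
    def __init__(self, server, policy):
        self.server, self.policy = server, policy  # policy associated with the VPN interface
        self.ipsec = SecurityProtocolModule()

    def protect_peer(self, peer_tunnel_addr):
        routable = self.server.resolve(peer_tunnel_addr)  # address resolution request/reply
        if routable is None:
            return None  # no mapping received, so no encryption state is generated
        return self.ipsec.handle_message(routable, self.policy)  # message to the IPsec module

def demo():
    server = AddressResolutionServer()
    server.register("10.0.0.2", "203.0.113.7")  # constructed: spoke B's tunnel and public address
    spoke_a = SpokeRouter(server, SecurityPolicy("dmvpn-profile", "gre"))
    first = spoke_a.protect_peer("10.0.0.2")
    server.register("10.0.0.2", "198.51.100.4")  # spoke B re-registers after its address changes
    return first, spoke_a.protect_peer("10.0.0.2"), spoke_a.protect_peer("10.0.0.9")
```

The second resolution shows the "dynamic" property: the spoke never needs the peer's public address in its own configuration, and a changed address simply produces fresh state on the next resolution.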
118 Citations
26 Claims
- 1. A method for dynamically establishing a secure virtual private network, the method comprising the computer-implemented steps of:
  associating a network security policy with a virtual private network interface at a first network device, wherein the first network device comprises a spoke router; sending an address resolution request to an address resolution server, wherein the address resolution request is sent by the first network device and requests an address resolution for a second network device, wherein the address resolution request specifies a virtual private network endpoint address of the second network device, and wherein the second network device comprises a second spoke router; in response to sending said address resolution request, receiving input that indicates an association of said virtual private network endpoint address to a corresponding routable network address of said second network device, wherein said routable network address of the second network device is a dynamically assigned network address; wherein the routers comprise routers in a communication network; in response to the receiving said input that indicates said association, issuing, to a security protocol module at the first network device, a message that includes the routable network address of the second network device and the network security policy associated with the virtual private network interface at the first network device; receiving said message at said security protocol module at said first network device; in response to receiving said message at said security protocol module, generating encryption state information for encrypting and transmitting network traffic from the first network device to the second network device, based on the message; wherein the encryption state information includes one or more of: routable network address information, encapsulation protocol information, or security policy information.
  Dependent claims: 2, 3, 4, 5, 6, 7
- 8. A method for dynamically establishing a secure multipoint virtual private network, the method comprising the computer-implemented steps of:
  configuring a virtual private network interface on a first router by executing one or more configuration commands associated with the first router, wherein the first router comprises a spoke router; sending an address resolution request to an address resolution server, wherein the address resolution request is sent by the first router and requests an address resolution for a second router, wherein the address resolution request specifies a virtual private network endpoint address of the second router, and wherein the second router comprises a second spoke router; in response to sending said address resolution request, receiving at the virtual private network interface input that indicates an association of said virtual private network endpoint address and a corresponding routable network address of said second router, based on one or more configuration commands associated with the first router, wherein said routable network address of the second router is a dynamically assigned network address; wherein the routers comprise routers in a communication network; in response to the receiving said input that indicates said association, receiving at a security protocol module at the first router a message that includes the routable network address of the second router and a network security policy associated with the virtual private network interface at the first router; and in response to receiving said message at said security protocol module, generating encryption state information for encrypting and transmitting network traffic from the first router to the second router, based on the message; wherein the encryption state information includes one or more of: information relating to the routable network address, encapsulation protocol information, or the security policy information.
  Dependent claims: 9, 10
- 11. An apparatus for dynamically establishing a secure multipoint virtual private network, comprising:
  a virtual private network interface, configured in association with a first routable network address that relates to a first router, and configured to access encryption policy information associated with traffic transmitted from the virtual private network interface; an address resolution module communicatively coupled to the virtual private network interface and an encryption module, the address resolution module, configured to send an address resolution request to an address resolution server, wherein the address resolution request is sent by the first router and requests an address resolution for a second router, wherein the address resolution request specifies a virtual private network endpoint address of the second router, and wherein the second router comprises a second spoke router, and configured to receive, in response to sending said address resolution request, input that indicates an association of said virtual private network endpoint address to a corresponding second routable network address of said second router, wherein the second routable network address is a dynamically assigned network address, and configured to issue to said encryption module, in response to receiving said input that indicates said association, a message that includes the second routable network address of the second network device and the encryption policy information associated with traffic transmitted from the virtual private network interface; said encryption module communicatively coupled to the address resolution module, the encryption module, configured to receive said message from said address resolution module, configured to establish, in response to receiving the message, a security association related to network traffic transmitted from the first routable network address to the second routable network address, configured to encrypt network traffic according to the encryption policy information, wherein the security association references the encryption policy information and a secret key for encrypting and decrypting traffic transmitted between the first routable network address and the second routable network address, and configured to generate, in response to receiving said message, encryption state information for encrypting and transmitting the network traffic from the first routable network address to the second routable network address, based on the message; wherein the encryption state information includes one or more of: routable network address information, encapsulation protocol information, or security policy information; wherein the routers comprise routers in a communication network; an Internet key exchange module configured to negotiate an exchange of the secret key between the encryption module and a second encryption module configured on a device associated with the second routable network address.
  Dependent claims: 12, 22, 23, 24, 25, 26
- 13. A computer-readable medium storing one or more sequences of instructions for dynamically establishing a secure virtual private network, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
  associating a network security policy with a virtual private network interface at a first network device, wherein the first network device comprises a first spoke router; sending an address resolution request to an address resolution server, wherein the address resolution request is sent by the first network device and requests an address resolution for a second network device, wherein the address resolution request specifies a virtual private network endpoint address of the second network device, and wherein the second network device comprises a second spoke router; in response to sending said address resolution request, receiving input specifying an association of said virtual private network endpoint address to a corresponding routable network address of said second network device, wherein said routable network address of the second network device is a dynamically assigned network address, wherein the second network device comprises a second spoke router; wherein the routers comprise routers in a communication network; in response to the receiving said input that indicates said association, issuing to a security protocol module at the first network device a message that includes the routable network address of the second network device and the network security policy associated with the virtual private network interface at the first network device; receiving said message at said security protocol module at said first network device; in response to receiving said message at said security protocol module, generating encryption state information for encrypting and transmitting network traffic from the first network device to the second network device, based on the message; wherein the encryption state information includes one or more of: routable network address information, encapsulation protocol information, or security policy information.
- 14. An apparatus for dynamically establishing a secure virtual private network, comprising:
  means for associating a network security policy with a virtual private network interface at a first network device, wherein the first network device comprises a first spoke router; means for sending an address resolution request to an address resolution server, wherein the address resolution request is sent by the first network device and requests an address resolution for a second network device, wherein the address resolution request specifies a virtual private network endpoint address of the second network device, and wherein the second network device comprises a second spoke router; means for receiving, in response to sending said address resolution request, input that indicates an association of said virtual private network endpoint address to a corresponding routable network address of said second network device, wherein said routable network address of the second network device is a dynamically assigned network address; wherein the routers comprise routers in a communication network; means for issuing, in response to receiving said input that indicates said association, to a security protocol module at the first network device, a message that includes the routable network address of the second network device and the network security policy associated with the virtual private network interface at the first network device; means for receiving said message at said security protocol module at said first network device; means for generating, in response to receiving said message at said security protocol module, encryption state information for encrypting and transmitting network traffic from the first network device to the second network device, based on the message; wherein the encryption state information includes one or more of: routable network address information, encapsulation protocol information, or security policy information.
  Dependent claims: 15, 16, 17, 18, 19, 20, 21
Specification